The good news for the moment is that the North Korean attack on Sony Pictures is in the headlines and has the nation discussing cyber security issues. The bad news is that neither the press nor the government is placing the Sony attack in context. Considering the Sony case in isolation is equivalent to looking at a single piece on a chessboard, hardly an effective way to evaluate our predicament or assess what we need to do to prevent further losses. So let’s take a step back and briefly review the big picture, economically, militarily and politically, in which the Sony attack resides.
The Director of the FBI, James Comey, has said that there are two kinds of US corporations, “Those that know they’ve been hacked and those that don’t.” Indeed, penetrations of corporate information systems are so widespread, persistent and severe that government agencies and cyber security firms such as Symantec independently estimate America is losing “hundreds of billions” of dollars in intellectual property per year. A more modest and more recent estimate by the Center for Strategic and International Studies (CSIS) places the figure at $100 billion annually. Either way, the costs are enormous. In connection with these losses the recently retired Director of the National Security Agency has stated, “In fact, in my opinion, it’s the greatest transfer of wealth in history,”
A telling statistic comes from a 2012 study of cyber crime by the Pokemon Institute. The Institute tracked the experience of 56 US organizations in various industries and found, “The companies in our study experienced 102 successful attacks per week and 1.8 successful attacks per company per week.” The average annualized cost per company included in the survey was $8.4 million.
Admittedly, estimates of US data losses and their economic impacts are guesstimates, if only because we don’t know how many attacks remain undetected, but by any measure the losses are staggering. To put this massive hemorrhage of proprietary data in context, consider by contrast the costs of the terrorist attacks that destroyed the World Trade Towers:
- Loss of buildings and aircraft (~$5 billion);
- The invasion of Afghanistan (~$40 billion);
- Property damage ($10 billion);
- Insurance losses (~$40 billion);
- Lost wages (~$17 billion);
- Losses to the City of New York (~$100 billion)
All told, the costs of September 11 amounted to roughly $200 billion. Hence, if the higher government and industry estimates of the economic costs of data theft are correct, the US is suffering the economic equivalent of a 9/11/2001 terrorist attack every year. Even the lower estimates correspond to the total losses suffered by the City of New York in 2001.
In addition to the theft of sensitive US proprietary information, often by foreign states such as China and Russia, there is a burgeoning criminal industry preying on US merchants and consumers. Statistics from the Department of Justice reveal that over 7% of US households, representing more than 11,000,000 Americans, suffered some form of identity theft in 2014. The total financial loss from identity theft alone exceeded $24 billion in 2014, nearly double the amount lost in 2010.
From even this brief overview the economic losses suffered by Sony Corporation take on a new light. By some estimates, the costs to Sony could stretch to as much as $100 million. At most, this is perhaps 1% of the costs US companies will incur this year due to computer compromises. In sum, Sony’s losses are neither surprising nor unprecedented, merely a salient example of corporate vulnerability and the fact we are continuing to erect our massive information economy on sand.
National Security Risks
The US military, by design, is more dependent on information technology than any potential adversary. This is a result of the fact that during the cold war, after the draft ended, policymakers in the Department of Defense recognized that the US could not hope to defeat a Soviet invasion of Western Europe by matching our adversary man for man or tank for tank. Fighting halfway round the world, with extended logistics lines, opposing a numerically superior enemy required the substitution of technology for mass. Thus began the commitment to improved intelligence and communications technologies together with stealth aircraft and precision weaponry. If the US is ever forced to confront a major power such as Russia or China on their turf or adjacent seas, and the information technology that underpins this high-tech approach to warfare is compromised, disaster could follow. Regrettably this is already happening.
For example, the massive compromise of NSA programs by Edward Snowden, due to inadequate network security safeguards at NSA, has undermined a stunning range of intelligence collection programs and capabilities; alienated some of our closest allies; severely damaged US industry cooperation with Uncle Sam and caused communications vendors around the world to adopt encryption standards that make US intelligence collection fundamentally more difficult and expensive. As this case so amply demonstrates, even a single network breach can have profound impacts on national security. It is ironic this breach happened at NSA, since NSA is not only America’s premier electronic intelligence gathering organization but also the organization charged with managing cyber security for the US military. Yet, although the damage to the Intelligence Community has been profound and unprecedented, there was no effort by either Congress or the President to hold the Director of NSA or any of his subordinates accountable. Surely this is another sign we are not serious about cyber security.
Other national security compromises related to data loss are less prominent but potentially just as significant. One of the crucial reasons for the stunning success of the US military, when confronting adversaries such as Saddam Hussein, has been our detailed understanding of adversary weapons systems. So for example, during the invasion of Iraq, when confronted by Saddam Hussein’s Russian made missiles, tanks and aircraft, the odds were tilted in our favor. Now the tables are turning. For example, according to the Pentagon, Chinese hackers have stolen design information for more than twenty-four major US weapons systems. Examples include Army and Navy missile defense systems, the Navy’s new littoral combat ship, and the $1.4 trillion F-35 Joint Strike Fighter. The loss of this information places US weapons systems and personnel at risk while saving China billions in weapons development costs.
Meanwhile, we know that other countries have been extensively and systematically probing the sorts of infrastructure facilities traditionally targeted in strategic bombing campaigns – power generation; energy production; electrical grids; water distribution; and telecommunications networks. It’s far easier to target and penetrate corporate networks, via email, web exploits, and other means, than it is to penetrate and manipulate infrastructure systems, but the effort to do so is ongoing. Last year alone the government responded to 256 incidents involving penetrations of industrial control systems. The American homeland has been shielded from foreign attack by our military and the vastness of the oceans since the war of 1812. Those barriers will not protect us from attacks on the homeland in the future. Here, the Sony case is relevant, because if one of the world’s most isolated and backward nations could successfully seize control of the networks of a leading US corporation, and intimidate an entire industry to the point of suppressing the release of a feature film, one can well imagine what havoc a more sophisticated adversary might wreak in wartime.
Warfare, as we all know, is the pursuit of political objectives by military force. When nations can achieve their political objectives by less costly means, including deception and covert action, they naturally do so. In that regard, America’s massive cyber vulnerabilities provide a wealth of opportunities for other nations to exploit in order to influence and manipulate our government and institutions.
The North Korean attack on Sony provides a case in point. The goal was political, to suppress the release of a Hollywood movie. The method involved hacking into Sony’s computer network and threatening movie distribution companies. Regrettably, the attack proved highly effective. The attack on Sony was hardly subtle and North Korea’s attempt to conceal its role by hiding behind the “Guardians of Peace” hacking group failed. Unfortunately, covert operations undertaken by more sophisticated foreign groups and governments are far harder to detect and prevent.
In short, as long as our information systems remain porous, opportunities for sophisticated foreign intelligence services to secretly influence US policy will abound. For example, a foreign government wanting to silence a prominent American critic or policymaker might task its intelligence services to search the private communications of that individual for improprieties that could provide leverage, or if exposed, damage or discredit the individual. If the target is clean, no problem, having gained access to their machine the perpetrators can simply use it to visit child porno sites or chat rooms then, while still concealing their role, ensure that the information is provided to law enforcement officials or the press. Today, policymakers in every branch of the US government as well as the press are vulnerable to such attacks if the devices they use connect to the Internet. Of course access to corporate and government networks, in addition to individual devices, provides a far wider range of opportunities for mischief. Ask any professional involved in covert activities today and they will confirm the game is well underway.
America’s nuclear arsenal is essential to deter the use of nuclear weapons by other nations, but the weapons we routinely use to engage terrorist organizations lie at the opposite extreme: they are highly surgical (e.g. drones and special operations forces). Intelligence, special operations forces and related capabilities have understandably been growth areas for military spending in recent years as we engage terrorist threats. I digress simply because today digital weaponry is following a similar evolutionary path. As noted above, advanced nations are developing the ability to launch attacks that could disable entire telecommunications networks or energy grids, if only to deter similar attacks by their rivals. But the routine use of offensive cyber capabilities by nation states will increasingly be highly precise and surgical, aimed at achieving political objectives through manipulation of foreign individuals and institutions. This is indeed the future of information warfare, and our pervasive computer vulnerabilities create opportunities our adversaries cannot be expected to resist.
Regrettably it sometimes takes a bloody disaster to spur the nation to confront emerging threats. For example, it took the attack on Pearl Harbor to finally compel America to confront the twin threats posed by Nazi Germany and Imperial Japan. Similarly, notwithstanding numerous intelligence warnings of a major pending terrorist attack, nothing was done to strengthen airline or border security, much less go on the offensive against Al Qaeda, until America suffered the loss of over 3000 lives and the destruction of the World Trade Towers on September 11th, 2001.
As terrorism and the Ebola virus have clearly demonstrated, when Americans perceive a threat to their safety they demand action from their government. That is precisely where we are falling short with regard to cyber security and the need for reform – the impacts are massive, they are corroding the sinews of our economy and our institutions, placing a mortgage of uncertain interest on the future, but there is no gruesome feature footage to display on the evening news. As one pundit has pointed out, twice as many Americans have been married to Larry King as have contracted the Ebola virus, yet the public is terrified of Ebola while seemingly unconcerned by the fact that our society is now existentially dependent on a highly penetrated and grossly insecure technology.
No matter how many millions of Americans suffer credit card and identity fraud; no matter how many companies suffer extensive financial losses; no matter how many vital intelligence or military programs are compromised; most Americans simply won’t engage until they feel their personal safety is threatened. This is where leadership makes all the difference. Policymakers and leading citizens who have the time and temperament to dig into this arcane issue, and weigh the national interest, must engage and lead. We are a digital society, ever more so, and we badly need to harden our vital but vulnerable digital infrastructure.
If there was nothing that could be done, inaction might be excused. But the fact is, there are a range of actions that can readily enhance our security. For example:
–Our dysfunctional Congress might at long last pass cyber security legislation to facilitate information sharing between the US government and the private sector. This is utterly non-partisan and clearly in the national interest.
— We have highly detailed fire and construction standards even for small public buildings in the US. For example, I recently visited a small daycare center for 10 children, with three rooms, none further than 10 feet from a door, that was required to install a $50,000 sprinkler system. Yet, no one has thought to mandate safety and security standards for the information systems of even our largest public corporations. The federal government ought to do so. Short of that, it could at least mandate that corporate websites display a symbol showing an information security ranking so consumers and business partners could make a risk assessment before sharing data or engaging in a transaction. Criteria might include such things as double authentication, end point security, heuristic malware detection technology etc. Implementation of end point security software alone, such as that produced by US companies such as Invincea and Bromium, could by itself stop the most common hacking techniques in use today (e.g. the threats posed by phishing, corrupt attachments and malicious websites). In any event, these details can be easily worked out.
— The federal government can and should do more to pressure states that engage in widespread hacking and/or harbor cyber criminal organizations. We might, for example, if they are unwilling to extradite suspects or crack down on such groups, impose targeted sanctions; limit travel by the leadership, elevate the issue in bilateral discussions or more aggressively retaliate against the perpetrators with cyber counterattacks.
We’re the nation that invented the Internet and first landed on the moon. There is little we can’t achieve when we make it a national priority. Increased spending on cyber security R&D and a focused national program aimed at strengthening Internet security should be a priority.
Certainly there will be some cost and inconvenience, just as we now have to remove our shoes at the airport. But we all recognize the unfortunate necessity of airport security and these measures have proven very effective. This really isn’t so hard. America can do this if we only recognize the need.
The Sony case is interesting and in some respects unique. It represents an escalation in the sense that North Korea publicly humiliated Sony, rather than merely pilfering its data as most hackers do, and the goal, which was achieved, was purely political. It’s a taste of things to come. But in the big picture it’s barely a blip, a sip from a massive flow of household, corporate and government data losses that are plaguing the nation. We can act now to stem the tide, or, as we did in the summer of 2001, wait until some disaster befalls the nation.
About Chris Mellon:
Chris Mellon has served as the Deputy Assistant Secretary of Defense for Security and Information Operations; Deputy Assistant Secretary of Defense for Intelligence; and Minority Staff Director of the Senate Intelligence Committee. He is presently a private equity investor residing near Pittsburgh PA. Find Chris on LinkedIn here.